(57) Abstract: A system for security and authorization processing in digital terminals. The processing load of a security processor
(250) at the terminal (150) is reduced by configuring a multiple applications manager (MAM) (240) to determine if
frequently-transmitted application data should be downloaded. The security processor is used by the MAM to build a local virtual
application table (260) that indicates which applications are authorized for downloading. The security processor configures the
terminal with an authorization state so that it knows which applications it is authorized to download, i.e., the applications
(316', 334', 376') whose required authorization states correlate with the terminal's configured authorization state. The security
processor is accessed when the terminal's authorization state changes, or when a required authorization state of an application
changes. These events are typically
relatively infrequent.

OBJECT AND FEATURE AUTHORIZATION FOR DIGITAL
COMMUNICATION TERMINALS

BACKGROUND OF THE INVENTION 

This application claims the benefit of U.S.
Provisional Application No. 60/161,228, filed October
22, 1999, and PCT Application No. PCT/US99/24745,
entitled "Method And Apparatus For Managing Multiple
Applications In Large Scale Networks", filed October
22, 1999.

The present invention relates to digital
communications, and more particularly to the use of a
digital message (such as a Virtual Object message
encapsulated within an MPEG message), transmitted
across any network (such as delivered via a broadband
cable network), to deliver information to a digital
consumer terminal. The mechanisms, messages and data
structures, which allow a digital network to manage and
utilize the authorization and security features for
multiple applications in consumer terminals are
described.

Various software applications, such as an
electronic program guide (EPG), e-mail, web browser,
shop or bank at home, stock ticker, and the like, can
be written for digital terminals. These applications
enhance the user's experience and increase the revenue
for service providers and for equipment manufacturers.
However, the process of authorizing the
terminals to acquire and enable the code objects for
these applications places a burden on the limited
resources of the security processor in the terminal.

The applications are typically downloaded from a
download server in the digital network and acquired by
a downloader module in the digital terminal. The
download server encapsulates small chunks of the
application's object code into download messages, known,
e.g., as Tune Download Channel Messages, which are
MPEG2-compliant. The messages are inserted into the
downstream path of the digital network for acquisition
by the terminals. However, these messages are
transmitted relatively frequently, e.g., in a
carouselled manner.

Conventionally, each time the application data is
received at the terminal, the security processor is
required to determine whether the terminal is
authorized to process the Tune Download Channel
Message. If the terminal is authorized to process the
message, the downloader module in the terminal tunes to
a specified channel (PID stream) for the download
messages containing the application object code. The
download messages containing the object code for an
application are normally transmitted in sequence, with
sequence numbers, continuously and repeatedly (e.g., in
a process known as carouselling) so that they are
available in the download stream whenever a terminal
finds a need to acquire them. Moreover, the object
code for typical applications may be large, needing a
large number of download messages to transmit the
complete application. Hence, in order to minimize the
acquisition time of an application by a terminal, it is
advisable that the terminal can start acquiring
download messages at any point in the transmission
sequence of the object code.

As a result, the Tune Download Channel Messages 
(containing tier match decoder conditions) for an 
application are transmitted downstream frequently, 
which results in a significant authorization processing 
burden on the security processor. 

Moreover, newer versions of terminal firmware will
support a Multiple Applications Management (MAM)
environment, such as described in co-pending,
commonly-assigned PCT Application No. PCT/US99/24745, entitled
"Method And Apparatus For Managing Multiple
Applications In Large Scale Networks", filed October
22, 1999.

A MAM environment allows multiple virtual
applications to be downloaded into a terminal. Under
MAM, the number of applications available to a terminal
is expected to grow considerably, beyond the single
traditional EPG application. As a result, it is
expected, and observed in tests, that the security
processor will be burdened beyond its capacity for
keeping up with authorization processing for the
download of multiple applications. Moreover, the
security processor will be impaired from performing
other tasks, such as decrypting encrypted programming
services, e.g., for pay-per-view, near-video-on-demand
and other premium services.

Accordingly, it would be advantageous to provide a
system that allows application data to be securely delivered
to a terminal, yet reduces processing requirements of a
security processor at the terminal.

Such a system should be much less expensive than
currently available solutions in terms of security chip
processing.

The present invention provides a system having the
above and other advantages.

SUMMARY OF THE INVENTION

The present invention relates to security and
authorization processing in digital terminals. The
invention is particularly suitable for use when such
terminals are operating in a Multiple Applications
Management (MAM) environment in a digital network, but
can be adapted for other uses as well that have a need
to control the downloading and authorizing of
applications at a terminal.

The invention reduces the overhead and expense of
security chip processing in terminals for the
processing of Tune Download Channel Messages (TDCMs)
associated with large numbers of applications at the
terminal. These TDCMs are transmitted very frequently
by a controller in the digital network, and inform the
terminals about which channel to tune to for acquiring
the object code, and provide data for applications
which can be enabled and executed on the terminals.
In particular, TDCMs may contain decoder
conditionals in the message preamble portion of the
MPEG message. A determination as to whether or not the
terminal will continue to process the remainder of the
message is based upon the success or failure of the
decoder conditional terms. One such decoder
conditional is a tier match condition, which is
specified in the TDCM preamble.

An MPEG packet processor module within a terminal
receives the MPEG messages. When the MPEG packet
processor receives a TDCM containing a tier match
decoder condition, the message is passed to a user
processor. The user processor asks a message preamble
handler to check if the terminal is authorized for
processing the message. The message preamble handler
interrogates the security processor module within the
terminal, an example of which is the TSODA processor
used in terminals manufactured by Motorola Corporation.

The security processor checks the tier match
conditions specified for the TDCM against the
authorization rights independently obtained by the
terminal via Entitlement Management Messages (EMMs). A
sequence of non-trivial processing is needed in the
security processor to check the tier match
authorization.

The invention bypasses the use of tier match
decoder condition message preambles with TDCMs, thereby
reducing the need for security chip processing. In
particular, newly created messages processed by the MAM
module in the terminals provide the authorization
requirements of the applications. The MAM maintains
the authorization states of applications in
non-volatile memory.

In particular, when a TDCM is received by the
downloader module in the terminal, the MAM informs the
downloader about the authorization state of the
application directly from the MAM's internal table.
Thus, the security processor is not queried to see if
an application in a download message is authorized for
download. The security processor only need be queried
when authorization rights of the terminal change, or
when new application data or authorization requirements
are received.

This avoids unnecessary repeat queries of the
security processor, which would otherwise occur due to
the repeated broadcast (carouselling) of the
applications.

Moreover, backward compatibility is preserved for
terminals which are not running MAM capable firmware
(platform code).

A particular method for processing data in a
digital user terminal includes the steps of providing
data to the terminal that includes at least terminal
authorization rights, configuration data, and download
messages. The download messages include application
data for applications that are executable on the
terminal. The applications have associated required
authorization requirements. The terminal authorization
rights are processed at a security processor at the
terminal to configure an authorization state of the
terminal. Additionally, the configuration data is
processed at a multiple applications manager (MAM) at
the terminal to configure the terminal to receive the
application data. The MAM queries the security
processor to establish a database of the applications
whose required authorization states correlate with the
terminal's authorization state. Additionally, the
download messages are processed to determine whether to
download or discard the application data received at
the terminal in accordance with the database.

A corresponding apparatus is also presented.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an overview of a digital
network for providing multiple application management
in accordance with the present invention.

FIG. 2 illustrates a digital terminal with a
multiple application management capability in
accordance with the present invention.

FIG. 3 illustrates the creation of a local virtual
application table (VAT) for a terminal based on the
terminal's authorized tiers in accordance with the
present invention.

FIG. 4 illustrates an example dynamically-created
menu of the available applications at a terminal in
accordance with the present invention.

FIG. 5(a) illustrates a method for processing
configuration and application data in accordance with
the present invention.

FIG. 5(b) illustrates a method for processing
terminal authorization rights in accordance with the
present invention.

FIG. 5(c) illustrates a method for processing a
tune download message in accordance with the present
invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention relates to security and
authorization processing in digital terminals and, more
particularly, to the use of a digital message (such as
a Virtual Object message encapsulated within an MPEG
message), transmitted across any network (such as
delivered via a broadband cable network), to deliver
information to a digital consumer terminal.

The following terms and acronyms are used:

EMM - Entitlement Management Message
MAM - Multiple Applications Management/Manager
PID - Packet Identifier
TDCM - Tune Download Control Message
VAT - Virtual Application Table
HTTP - Hyper Text Transport Protocol
VOM - Virtual Object Message

For example, the following types of information
can be provided in accordance with the invention:

A. Software application specific information (such as
   the VAT), including, but not limited to:
   i) Application authorization requirements used
      to authorize the download of an application
      to a terminal,
   ii) Application authorization requirements used
      to authorize the execution of (or enabling
      of) an application in a terminal,
   iii) Application feature authorization
      requirements used to authorize such features
      on a terminal (e.g., built-in e-mail,
      video-on-demand, or web browsing capabilities
      associated with an application such as an
      electronic program guide).
B. Initialization and configuration information
   allowing for:
   i) A digital consumer terminal to receive the
      software specific information listed above.

In a MAM environment, such as described in PCT
Application No. PCT/US99/24745, digital terminals can
be authorized for acquiring and enabling of multiple
applications by messages created, encapsulated in MPEG
format, and sent by a controller (e.g., a DAC) to the
terminals. MAM is implemented by using some new, as
well as some existing messages that are modified and/or
interpreted differently. MAM uses the Security
Processor module within the terminal to determine which
of the multiple applications is authorized for
acquisition and enabling by the terminal.

FIG. 1 provides an overview of a digital network
capable of providing Multiple Application Management.

A business system 105, which may be located at, or
otherwise be in communication with, the headend 115 of
a network such as a cable or satellite television
network, manages the billing and authorization of
applications for each specific terminal in a network.

Users of the network can make arrangements to
receive authorizations for the applications using
conventional techniques, e.g., by phoning an operator
and authorizing a credit card payment, or by use of an
upstream communication path on the network, if
available. The business system 105 can be implemented
with a computer and known record-keeping and billing
procedures.

The business system 105 communicates with a
controller 120, which communicates with a download
server 110. The download server 110 transmits the
application data via an interface 130, and physical
network and intermediate equipment 140 to a terminal
150, which may be in a large terminal population.
Alternatively, or in addition, control data can be
provided to the terminal 150 by other means, such as
locally using a smart card, or at the time of
installation or manufacture of the terminal. The
controller 120 thus configures and authorizes the
terminals under the control of the Business System 105.

Programming services, e.g., conventional
television programs, or other video, audio or other
data, are provided by a programming services function
125.

The application and control data can be
encapsulated in transport packets, for example, such as
MPEG-2 packets, using known techniques.

The physical network and intermediate equipment
140 may include cable and/or optical fiber, as well as
required switches, amplifiers and other conventional
components.

FIG. 2 illustrates a digital terminal with
multiple application management capability in
accordance with the present invention. Like-numbered
elements correspond to one another in the figures. The
terminal 150 receives MPEG messages (packets), such as
an example packet 205, from a communication channel.
Use of MPEG packets is discussed herein only as an
example. Any digital data transport protocol may be
used.

An MPEG packet processor and packet identifier
(PID) filter 210 processes the packet 205 to recover
the control data from the controller 120 of FIG. 1,
which is provided to a security processor 250 and a MAM
240. The MAM 240 and other terminal functions can be
implemented using any known software, firmware and/or
hardware techniques.

The control data, including authorization state
data, can be stored at a memory associated with the
terminal 150, such as in the non-volatile memory 234.
A volatile memory 232 may also be provided. The packet
processor 210 also recovers the application data and
forwards it to a downloader 230. The downloader 230
uses the associated memory 234 for storing the
downloaded application data, including the applications
themselves, such as code objects. "Downloading" refers
to recovering and storing. The downloader 230 also
receives a TDCM that commands it to download particular
applications, and/or particular versions of the same
application from a specific channel. The channel may
be identified by a PID in a known manner.

The packet processor 210 may also recover
conventional programming services for decoding, e.g.,
at an MPEG video decoder 215, and display on a display
200.

The MAM 240 can output data to the display 200 for
launching the applications separately or together with
data from a programming service.

The MAM 240 can also output data to the display
200 for providing an on-screen menu of available
applications (see FIG. 4). A user may interact with
the menu via a user command processor 255, e.g., which
receives input signals from a keyboard, infra-red
remote control or the like.

The security processor 250, a Local VAT memory
260, a Home VAT data memory 265, and a message
router/filter 225 communicate with the MAM 240. Home
VAT data refers to a common VAT table that is downloaded
to all terminals, while local VAT data refers to data
that is used by each terminal, and is derived as a
subset of the home VAT data based on the terminal's
authorization state. Essentially, the local VAT data
designates the latest version of each application that
a terminal is authorized to download and access. The
local VAT data can therefore be different for different
terminals.

The message filter/router 225 sends data such as
control data and authorization data, including the home
VAT data and EMMs to the MAM 240, while the application
code (software) is sent to the downloader 230.

With the present invention, control data is used
to authorize terminals to acquire multiple
applications, and to enable the applications for use
within the terminal.

The MAM 240 can be implemented by using new
messages in the terminal 150, as well as some existing
messages that are modified and/or interpreted
differently.

The MAM 240 receives and processes these messages,
and uses the security processor 250 to determine which
of the multiple applications is authorized for
acquisition and enabling at the terminal.

Virtual applications are applications that can be
identified, downloaded, and enabled under the control
of the MAM 240. The virtual applications can be
transported to the terminal 150 in download messages.
However, the applications could be downloaded via other
means, such as via HTTP.

The data structures and information contained in
the messages provide authorization requirements needed
by a terminal for downloading an application. They
also may provide authorization requirements needed by a
terminal for enabling and executing an application or
any special characteristics that may be associated with
the application.

In addition, via other messages sent by the
controller, the terminal receives authorization rights
for an application or for any special characteristics
associated with an application. For example, EMMs sent
from the controller can authorize a terminal for an
application or its characteristics. This is analogous
to authorizing a terminal for a video service.

Using the authorization requirements and the
authorization rights, the MAM 240 uses the security
processor module 250 to determine the authorization
state of any given version of an application or its
special characteristics. The MAM 240 maintains the
authorization state of a virtual application in
internal tables in the non-volatile memory 234 so that
the information is preserved across terminal resets.

The authorization state of an application
determines if an application can be downloaded by the
terminal. In other words, whether an application (or a
specific version of the application) is acquired into,
preserved in, purged from, or deleted from, the
terminal's memory is dependent on the authorization
state of the application.

In accordance with the invention, the receipt of a
TDCM by a terminal does not result in any processing by
the security processor 250. Instead, the MAM 240
obtains the authorization state information for the
virtual application from its internal tables, and
informs the downloader 230 whether the application is
authorized for acquisition or not. The present
invention therefore minimizes the processing overhead
on the security processor 250.

A MAM system is provided in which the tier match
decoder condition is eliminated from the message
preamble of the MPEG encapsulation of the TDCM.
Consequently, security chip processing is eliminated
when a terminal receives a TDCM. The TDCM informs a
terminal which channel to tune to for acquiring the
code object for an application.

Information about all the applications which a
terminal could acquire and/or enable is provided to the
terminal by using a Virtual Object Message (VOM). The
VOM is part of the set of new or modified messages used
for supporting the MAM feature in digital networks.
This message is described in more detail in Section
1.1.3 below. The VOM is sent to, and received by, a
terminal prior to the terminal receiving and processing
TDCMs specific to virtual applications.

The VOM provides the VAT to the terminal. The VAT
data may be stored in the non-volatile memory 234, which
may be a flash memory, battery-backed SRAM, or hard
drive if available, or any other non-volatile memory
available in the terminal. Alternatively, the VAT data
may be stored in the volatile memory 232, in which case
it is simply re-acquired from the network each time the
terminal is powered on.

FIG. 3 illustrates the creation of a local VAT for
a terminal based on the terminal's authorized tiers in
accordance with the present invention.

VAT data that is received by each MAM configured
terminal in the network, shown generally at 300,
includes a number of rows 310, 330, 350 and 370 of
records (va_records). Records 312, 332, 352 and 372
contain the identifications (object_application_ID) of
the first, second, third and fourth applications (i.e.,
Applications No. 1, No. 2, No. 3, and No. 4,
respectively).

Records 314, 316 and 318 contain the version
identifier (object_version) and required tier
(virtual_application_tier) for a first application. For
example, record 314 has a version "1.0" and a required
tier of "4", record 316 has a version "1.1" and a
required tier of "5", and record 318 has a version
"1.2" and a required tier of "7".

As an example, Application No. 1 might be an
e-mail capability, where version 1.0 is a basic version,
version 1.1 is an enhanced version, and version 1.2 is
a test version. Therefore, the invention allows a
network operator to control which terminals can access
which version of Application No. 1. Users who pay a
small fee can access version 1.0, those who pay a
larger fee can access version 1.1, and others can
access version 1.2, e.g., to provide feedback to the
network operator as to whether the version 1.2 works
properly or provides desirable features.

For Application No. 2, record 334 has a version
"2.0" and a required tier of "5", and record 336 has a
version "2.1" and a required tier of "6".

For Application No. 3, record 354 has a version
"7.5" and a required tier of "8".

For Application No. 4, record 374 has a version
"1.0" and a required tier of "3", record 376 has a
version "1.1" and a required tier of "4", record 378
has a version "2.0" and a required tier of "7", and
record 379 has a version "2.1" and a required tier of
"8".

Versions and tiers are numeric values. The
virtual_application_name is a text string that is
associated with all versions of a virtual application
and is displayed on the dynamically built menu if one
of the versions is authorized in the terminal.

The local VAT data that is authorized at the
terminal, shown at 355, is assembled from the received
VAT records 300 according to the tier
(virtual_application_tier) with which the particular
terminal is authorized. In the present example, it is
assumed that the terminal's authorized rights include
tiers "4" and "5". The local VAT data 355 and its
tiers denote an authorization state of the terminal.



WO 01/31912 



PCT/US00/41085 



In this case, the matching tier requirements in
the VAT records 300 are in records 316, 334 and 376.
Accordingly, the terminal's local VAT 355 includes
these records, e.g., stored in the VAT memory 260 of
FIG. 2, as records 316', 334' and 376'. Note that when
a terminal is authorized to receive two or more
versions of the same application (e.g., records 314 and
316), it is generally desirable to select the most
recent version (e.g., record 316). Generally, the
required authorization state of an application is said
to correspond to, or correlate with, the authorization
state of a terminal when the terminal's security
processor has received a matching tier via an EMM.

If there is no matching tier for the terminal,
e.g., as with Application No. 3, the terminal is not
authorized to receive that application, and it is not
downloaded.

It is possible to provide a required tier and/or
authorized tier that allows a terminal to receive the
highest version of all available applications.

Note that the VAT data 300 shown is only an
example, and various numbers of applications, versions
and tiers may be present in the VAT data.
Additionally, the local VAT 355 may include all, some
or none of the applications in the received home_VAT
300.

FIG. 4 illustrates an example dynamically-created
menu of the available applications at a terminal in
accordance with the present invention. The menu 400
presents the available authorized applications to the
user, e.g., on a television screen. Note that the menu
items correspond to the terminal's local VAT 355.

Each application may have user-friendly textual
data (virtual_name) associated with it. The messages
provided to the terminal provide this textual data that
describes the application. This data can be used on
the display menu 400 of the terminal.

For example, referring to the example of FIG. 3,
Application Nos. 1, 2 and 4 may have the textual data
"E-mail", "Video-on-Demand", and "Web Browser",
respectively.

Optionally, an additional textual string denotes
the version of the application, or the corresponding
service tier that the user has purchased. For example,
for marketing purposes the versions may be denoted by
bronze, silver or gold or the like.

Using the text associated with applications, the
MAM 240 of FIG. 2 can dynamically construct a menu of
authorized applications.

A user of a terminal can activate this menu and
launch (e.g., start) one or more of the available
applications by conventional interface techniques,
e.g., using a key on a remote control. A particular
key may be reserved on the remote control as a "MAM
menu button".

Upon receiving VAT data from the controller 120,
the MAM may build a menu consisting of a list of names
of the authorized applications. This can be
accomplished using known software techniques, for
example. The menu may also include an "Exit" item to
exit the menu. The menu may be implemented as a full
or partial screen overlay with the audio muted. In
addition, the front panel LEDs may be cleared while the
menu is displayed.

A user can activate the display of the menu by
pressing the "MAM menu button" on the remote control,
and use the "up" or "down" keys on the remote control
or on the front panel to scroll through the menu. A
user can select an application for launch by pressing
the "select" button on the remote control or the front
panel of the terminal.

When an application is selected from the menu, the
MAM 240 may inform the downloader 230 to enable the
application, and the application is started (e.g.,
launched). The terminal may tune to a specified
channel before enabling the application.

If the user selection is not authorized, or is not
present in the VAT or in the downloaded objects
directory, the MAM 240 will try to re-create the menu
and re-display it. After several failed attempts to
launch a specific virtual application, the terminal
will resort to some type of graceful recovery action.

The user can choose to not select any virtual
application on the menu, as a result of which the MAM
will re-enable the previously enabled (i.e., prior to
the menu being displayed) virtual application, or
resort to a graceful recovery action that may enable
the terminal's default virtual application.

FIG. 5(a) illustrates a method for processing
configuration and application data in accordance with
the present invention. Configuration data with a
configure signal are received at the terminal (block
500). MAM processes and stores the configuration data
(block 502). The terminal then receives application
data (e.g., VAT data) with version identifiers and
authorization requirements for each application (block
504). If this data is new (block 506), the MAM
processes and stores the VAT data and the authorization
requirements (block 510). If the data is not new,
processing continues at block 500.

After MAM processes the received data, it queries
the security processor to locate applications whose
authorization requirements correlate with the terminal
authorization rights (block 512). Based on the
correlation, the terminal builds and stores its local
VAT (e.g., database or record) of authorized
applications (block 514).

FIG. 5(b) illustrates a method for processing
terminal authorization rights in accordance with the
present invention. At block 530, control data,
including terminal authorization rights (e.g., EMMs),
are received at the terminal. If this is new data
(block 532), the security processor processes and
stores the terminal authorization rights (block 536).
Each terminal can have its own authorization state,
which may be subsequently replaced or supplemented. If
the control data and terminal authorization rights are
not new data, the data is discarded (block 534).

FIG. 5(c) illustrates a method for processing a
tune download message in accordance with the present
invention. Each tune download message that is received
by the terminal is processed (block 550). If the tune
download message is specific to MAM (block 552), a
determination is made as to whether the terminal's
local VAT has been built (block 554). If the local VAT
has been built, it is queried to see if the version of
the application code associated with the tune download
message is the highest authorized version (block 556).
If it is the highest authorized version, a
determination is made as to whether the version of the
application code is already stored at the terminal
(block 558). If not already stored, the terminal
acquires and stores segments of the application code or
other firmware (block 560). Moreover, if MAM is
enabled, any lower versions of the application that
were replaced by the higher version are erased (block
562).

If the tune download message is not specific to
MAM, processing continues at block 558. Note that the
invention accommodates both MAM and other types of
application or firmware that can be downloaded to a
terminal.

If the local VAT has not been built when the
MAM-specific tune download message was received (block
554), or if the version of the application code
associated with the tune download message is not the
highest authorized version (block 556), or if the
version of the application code associated with the
tune download message is the highest authorized
version, but is already stored at the terminal (block
558), the message is discarded (block 559).

Note that the processes in FIGs. 5(a)-(c) may
operate in parallel. Moreover, in accordance with the
invention, the demands on the security processor are
minimized. For example, in the process of FIG. 5(a),
the security processor is queried only when new
application data and authorization requirements are
received by the terminal. Moreover, in the process of
FIG. 5(b), the security processor is queried only when
new terminal authorization rights are received. These
cases occur relatively infrequently.

In contrast, the tune download message (FIG. 5(c))
is typically communicated to the terminal relatively
frequently, e.g., every few minutes. The tune download
message may be repetitively transmitted in a process
known as carouselling. This is necessary so that an
application can be downloaded by a terminal in a
relatively short time, and so that downloading can
begin at any time. Advantageously, there is no need to
query the security processor when processing the tune
download messages.
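
The three flows of FIGs. 5(a)-(c) can be modelled compactly to show where the security processor is consulted and where it is not. The Python sketch below is an added illustration, not code from the application; the class and method names, the use of tier membership to stand for "correlate", and the sample VAT and tier numbers are all assumptions constructed for the example.

```python
class SecurityProcessor:
    """Stand-in for the security processor; counts how often it is invoked."""

    def __init__(self):
        self.rights = set()    # tiers granted to this terminal via EMMs
        self.queries = 0       # authorization queries served so far

    def store_rights(self, tiers):             # FIG. 5(b), block 536
        self.rights = set(tiers)

    def is_authorized(self, required_tier):    # FIG. 5(a), block 512
        # Assumption: "correlate" is modelled as tier membership.
        self.queries += 1
        return required_tier in self.rights


class Terminal:
    """MAM plus Downloader, reduced to the decisions in FIGs. 5(a)-(c)."""

    def __init__(self):
        self.sp = SecurityProcessor()
        self.vat = {}          # app_id -> {version: required tier}
        self.local_vat = None  # app_id -> authorized versions; None until built
        self.stored = {}       # app_id -> versions held in the download directory

    def _rebuild_local_vat(self):              # blocks 512-514
        self.local_vat = {
            app: {v for v, tier in versions.items() if self.sp.is_authorized(tier)}
            for app, versions in self.vat.items()
        }

    def receive_vat(self, records):            # FIG. 5(a)
        if records == self.vat:                # block 506: not new
            return
        self.vat = records
        self._rebuild_local_vat()

    def receive_emm(self, tiers):              # FIG. 5(b)
        if set(tiers) == self.sp.rights:       # block 534: not new, discard
            return
        self.sp.store_rights(tiers)
        if self.vat:                           # rights changed: refresh cached states
            self._rebuild_local_vat()

    def receive_tdcm(self, app_id, version, mam_specific=True):   # FIG. 5(c)
        """Decide from cached state only; returns 'acquire' or 'discard'."""
        if mam_specific:
            if self.local_vat is None:                             # block 554
                return "discard"
            authorized = self.local_vat.get(app_id, set())
            if not authorized or version != max(authorized):      # block 556
                return "discard"
        have = self.stored.setdefault(app_id, set())
        if version in have:                                        # block 558
            return "discard"
        have.add(version)                                          # block 560
        if mam_specific:                                           # block 562
            have.difference_update({v for v in have if v < version})
        return "acquire"


def demo():
    t = Terminal()
    t.receive_emm({10})
    # Constructed VAT: application 7 has versions 1-3, version 3 needs tier 20.
    t.receive_vat({7: {1: 10, 2: 10, 3: 20}, 9: {1: 30}})
    after_build = t.sp.queries
    # Carouselled TDCMs: repeats and unauthorized versions never reach the SP.
    actions = [t.receive_tdcm(7, 2), t.receive_tdcm(7, 2), t.receive_tdcm(7, 3),
               t.receive_tdcm(9, 1), t.receive_tdcm(7, 1)]
    carousel_queries = t.sp.queries - after_build
    t.receive_emm({10, 20})    # new rights: one re-query per listed version
    actions.append(t.receive_tdcm(7, 3))
    return actions, after_build, carousel_queries, t.sp.queries, t.stored[7]


if __name__ == "__main__":
    print(demo())
```

The query counter rises only in `receive_vat` and `receive_emm`; every download decision is answered from the cached local VAT, so a stale cache is the thing to watch for when rights are revoked.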

1. Discussion 

In accordance with the invention, a Virtual
Application Config message (see Section 1.1.2 below)
informs the MAM about which VAT is the default or home
VAT for the terminal. The receipt of the Virtual
Application Config Message also places the terminal in
a configured_for_MAM state. A terminal that has
received and processed its home VAT is considered to be
in a MAM enabled state.

The VAT includes one or more VAT records, each of
which contains various fields related to the virtual
application.

The VAT record for an application provides the
virtual application's ID (the object_application_ID
field), and specifies version numbers (the
object_version field) of the application, which may
co-exist in the digital network. For each version of the
application, which is listed in the VAT record, a
corresponding authorization tier (the
virtual_application_tier field) is provided in the
record. The authorization tiers in the VAT records
specify the authorization requirements for the virtual
application. The MAM provides the authorization
requirements to the Security Processor module in the
terminal. The terminal also receives authorization
rights for virtual applications (and their versions) by
means of EMMs.

Using the authorization requirements and the
authorization rights, the security processor informs
the MAM about the authorization state of each specific
version of each virtual application. The MAM preserves
this authorization state information in its own
internal tables in the non-volatile memory 234. After
the VAT has been processed and the authorization states
of virtual applications have been determined by the
MAM, the terminal is in a MAM_enabled state.

The MAM maintains the information from the Virtual
Application Config and the VOMs, as well as the
internal tables and authorization state information of
virtual applications, in non-volatile memory. The
information is thus preserved through any warm resets
of the terminal.

TDCMs can now be received and processed by the
terminal. As part of this invention, in a MAM
environment, the TDCMs are not required to have a tier
match decoder condition in the MPEG message preamble in
order to authorize downloads.

The MPEG Message Preamble Handler does not check
with the security processor for processing the TDCMs.
These messages are ultimately passed to the Downloader
module in the terminal. The Downloader checks if the
version of the code object specified in the message is
or is not already present in the object download
directory maintained by the Downloader.

If the version is not already present, the
Downloader inquires of the MAM module about whether
there is authorization to tune to and acquire a virtual
application specified in the TDCM. As already
described above, the MAM maintains the authorization
state information about various virtual applications in
its internal tables in non-volatile memory. Hence, MAM
provides information about the authorization state of a
particular virtual application to the Downloader
directly from MAM's internal tables. Again, the
Security Processor is not invoked. This unique
operation of the inventive system avoids the expensive
security chip processing every time a TDCM is received
by the terminal. More of the Security Processor's
resources are therefore available for other decryption
processing, such as video decryption.

If the definition or authorization requirements of
a virtual application change or are modified, the
Controller transmits VOMs containing new VATs with a
different VAT identifier (ID), or the same VAT with a
different Sequence Number. When terminals receive this
new or modified VAT, the MAM module updates its
internal tables with information about each of the
virtual applications. The MAM obtains the new
authorization states for each of the virtual
applications from the Security Processor by using the
latest authorization requirements and the latest
authorization rights (obtained via EMMs).
Similarly, the MAM obtains new authorization state
information from the Security Processor for all the
virtual applications in the current VAT if the terminal
receives new authorization rights via EMMs. In order
to provide backward compatibility for terminals in the
network which are not executing MAM capable firmware
(platform code), the TDCMs have a newly invented
configured_for_MAM state match decoder condition. The
state match decoder condition does not require
Security chip processing. The MPEG Packet Processor
simply checks the state of the terminal to determine if
the message should be processed.

Terminals not operating MAM capable firmware
(platform code) are ignorant of the newly invented
configured_for_MAM decoder condition. The terminals
not configured for MAM will therefore not process the
TDCMs for virtual applications.

However, as was noted before, an Electronic
Program Guide (EPG) has traditionally been the one and
only application which even older non-MAM capable
terminals acquired and enabled. Hence, the inventive
system allows for one application in a MAM environment
to be regarded as a system wide default virtual
application. The TDCM for the system wide default
application is the only TDCM that relates to an
application in the digital network which does not
contain a configured_for_MAM decoder condition.

The traditional EPG can be designated as the
system wide default application, in which case the TDCM
for the EPG application does not have the
configured_for_MAM decoder condition, and is
processed by all terminals in the network.

1.1. Detailed Description of the Messages and Data Structures

1.1.1. The Newly Created DCII Message Preamble Decoder Conditional

A new enumeration "configured_for_MAM" has been
defined and added as part of the DigiCipher® II (DCII)
message preamble decoder condition functionality, using
a previously reserved entry. However, this conditional
is suitable for use with data communication schemes,
such as MPEG. DCII is a digital television standard
proprietary to Motorola Corporation. This decoder
condition is prefixed to certain messages, such as the
VOM and the TDCM, sent by the controller to the
terminals. (These messages are described later in
Sections 1.1.3 and 1.1.4, respectively). Consequently,
a terminal which has not been configured_for_MAM will
not acquire a VAT and become MAM-enabled, nor tune to a
download channel for acquiring a virtual application.

The selective use of this decoder conditional also
allows older terminals that are not upgraded with MAM
capable firmware platform code, to continue to operate
without any detrimental side effects caused by the
innovations involved with MAM.

1.1.2. The Newly Created Virtual Application Config Message

A new sub-command has been added to the Digital
Cable Terminal (DCT) Configuration message, by using a
previously reserved value, and represents the Virtual
Application Config message. A Virtual Application
Config message is used to configure or de-configure a
terminal for MAM and to provide MAM configuration
settings to the terminal.

Information derived from the Virtual Application
Config message is kept by the terminal in non-volatile
memory, in order to preserve it through (warm) resets
of the terminal.

The significant fields in the Virtual Application
Config message are described in Table 1 below.



Table 1: Significant Fields in a Virtual Application Config Message

| Name of Field | Description |
|---|---|
| config_for_multi_apps | This field, if set to "yes", configures a terminal for MAM. The terminal is then considered to be in a configured_for_MAM state. The terminal will then be able to receive other messages which have the configured_for_MAM decoder condition in the DCII message preamble. If this field is cleared to "no", the terminal will no longer be configured for MAM, nor enabled for MAM. |
| home_VAT_ID | This field identifies a VAT which must be used by the terminal as the terminal's default VAT (home_VAT). (The VAT is described in 1.1.3). |
| default_application_ID | This field identifies an application which will be the default virtual application for the terminal. (This ID correlates to the object_application_ID of a virtual application in the home_VAT). |
| volatile_memory_config | This specifies the number of bytes of volatile memory that the terminal allocates and makes available for the download of virtual applications other than the default virtual application. |



1.1.3. The Newly Created Virtual Object Message

A new DCII message type has been created by using
a previously reserved value, and represents the Virtual
Object message.

A Virtual Object message is used to deliver a VAT
to a terminal. This message is carried in the network
stream and may be sent either broadcast-addressed,
multicast-addressed or singlecast-addressed to the
terminal, using segmentation overlay. The controller
(e.g., the DAC) prefixes the virtual object message
with a configured_for_MAM decoder condition in the
message preamble.

Therefore, only terminals which are
configured_for_MAM will process this message.

This ensures that terminals which are not running
a MAM capable firmware (platform code) will fail the
decoder condition test, and will not acquire a Virtual
Application Table.

A terminal is considered to be in a MAM enabled
state if it is configured_for_MAM and has completely
acquired its home_VAT (described in Section 1.1.2
above). Information derived from the Virtual Object
message, including the VAT, is kept by the terminal in
non-volatile memory, in order to preserve it through
(warm) resets of the terminal.

The significant fields in the Virtual Object
message are described in Table 2.

Table 2: Significant Fields in a Virtual Object Message

| Name of Field | Description |
|---|---|
| table_subtype | This field can be used to specify that this VOM contains a VAT. |
| VAT_ID | This field specifies an identifier for the VAT contained in this message. The ID may be the same as the home_VAT_ID from the Virtual Application Config message described in Section 1.1.2. |
| sequence_number | This field serves as a version number for the VAT. If the sequence_number for the VAT included in this message is different from the sequence_number associated with the VAT with the same VAT_ID already present in the terminal, then it implies that the VAT has changed. |
| number_of_va_records | This field specifies how many VAT records are present in the VAT included in this message. |
| va_record | This is an array of VAT records constituting the VAT. Each record identifies a virtual application. One of the records may identify the virtual application whose default_application_ID was given in the Virtual Application Config message (described in Section 1.1.2). |



Table 3 describes the significant fields in each
record of a Virtual Application Table (VAT).

Table 3: Significant Fields in a "va_record" in a Virtual Object message

| Name of Field | Description |
|---|---|
| object_application_ID | This field contains a numeric identifier for the virtual application. The identifier must be unique between all va_records within a VAT. |
| VCT_source_ID | This is a list of identifiers of programming "sources" which are associated with the virtual application. The terminal may use these values to obtain a virtual channel to be tuned to before enabling the virtual application. |
| VCT_application_ID | This is a list of identifiers of "services" associated with the virtual application. The values and usage are the same as described for VCT_source_ID above. |
| object_version | This is a list of version numbers for each of the versions, which can exist, of a virtual application. The terminal will enable the highest version which can be authorized. |
| virtual_application_tier | This is a list of authorization tiers for the virtual application, one per version. (All versions of an application may have the same or different tiers). This specifies the authorization requirements for the versions of the virtual application. |
| virtual_name | This is a multi-lingual text string of printable ASCII characters. The name can be used for on-screen displays at the terminal. |
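
The gating described in Sections 1.1.1 to 1.1.3 amounts to a small terminal state machine: the preamble condition is a plain state match, and a VAT is replaced only when its sequence_number changes. The Python model below is an added illustration, not code from the application; the class and method names are hypothetical, and it assumes that older firmware ignores the Virtual Application Config sub-command and that VATs are kept keyed by VAT_ID.

```python
CONFIGURED_FOR_MAM = "configured_for_MAM"   # decoder condition from Section 1.1.1


class TerminalState:
    def __init__(self, mam_capable_firmware):
        self.mam_capable = mam_capable_firmware
        self.configured_for_mam = False
        self.home_vat_id = None
        self.vats = {}              # VAT_ID -> (sequence_number, va_records)

    def passes_preamble(self, condition):
        """State-match test on the message preamble; no security processor involved."""
        if condition is None:
            return True             # e.g. the TDCM of the system wide default application
        if not self.mam_capable:
            return False            # older firmware does not know the condition
        return condition == CONFIGURED_FOR_MAM and self.configured_for_mam

    def on_config(self, config_for_multi_apps, home_vat_id=None):
        """Virtual Application Config message (Table 1)."""
        if not self.mam_capable:    # assumption: sub-command unknown to old firmware
            return
        self.configured_for_mam = config_for_multi_apps
        if config_for_multi_apps:
            self.home_vat_id = home_vat_id

    def on_vom(self, vat_id, sequence_number, va_records,
               condition=CONFIGURED_FOR_MAM):
        """Virtual Object message (Table 2): 'ignored', 'unchanged' or 'updated'."""
        if not self.passes_preamble(condition):
            return "ignored"
        current = self.vats.get(vat_id)
        if current is not None and current[0] == sequence_number:
            return "unchanged"      # same VAT_ID and sequence_number: nothing to do
        self.vats[vat_id] = (sequence_number, va_records)
        return "updated"            # the MAM would now refresh authorization states

    @property
    def mam_enabled(self):
        # Enabled = configured_for_MAM and the home_VAT completely acquired.
        return self.configured_for_mam and self.home_vat_id in self.vats


def run_scenario():
    """Feed the same constructed message sequence to an old and a new terminal."""
    log = []
    for terminal in (TerminalState(False), TerminalState(True)):
        terminal.on_config(True, home_vat_id=1)
        log.append(terminal.on_vom(1, 4, ["epg", "mail"]))           # first pass
        log.append(terminal.on_vom(1, 4, ["epg", "mail"]))           # carousel repeat
        log.append(terminal.on_vom(1, 5, ["epg", "mail", "games"]))  # changed VAT
        log.append(terminal.passes_preamble(None))    # default-application TDCM
        log.append(terminal.mam_enabled)
    return log


if __name__ == "__main__":
    print(run_scenario())
```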



1.1.4. The Modified Definition of the Tune Download Channel Message

This message, which is a sub-command of the DCT
Download Control message, has been modified. The
definition of the tune_download_function_field has been
enhanced. A previously-reserved value has been
re-defined to specify whether the message applies to a
"virtual_application" or to a fixed or standard
application.

The Tune Download Channel message for all virtual
applications (except for a system wide default
application) must contain the configured_for_MAM
decoder condition in the message preamble. Therefore,
only terminals which are configured_for_MAM will
process this message. This ensures that terminals
which are not running a MAM capable firmware platform
code will fail the decoder condition test, and will not
acquire a virtual application.

If a virtual application is specified in the Tune
Download Channel message, the virtual application is
identified by the obj_application_ID field in the
message. This virtual application then correlates to
the one identified by the object_application_ID field
in one of the records of the Virtual Application Table
(the home_VAT) maintained by the Multiple Application
Manager. Moreover, the obj_application_ID,
tune_object_name and tune_object_version in the Tune
Download Channel message should correlate with the
application_ID, object_name and object_version in the
DCT Download message for the virtual application.

The Tune Download Channel message for the system
wide default virtual application is an exception. The
configured_for_MAM decoder condition is not used for
this default application. Consequently, all terminals
will always be able to acquire the system wide default
application.

1.1.5. The Modified Functionality of the Download Control Message

This message, which is also a sub-command of the
DCT Download Control message, has modified
functionality as an implication of the invention.
Since the MAM has the information (via the VAT) about
which applications must be enabled, disabled, purged,
etc., the Downloader can no longer directly act on the
receipt of the Download Control sub-command message.
Therefore, if MAM is enabled on a terminal, the
"disable", "delete" and "purge" functions specified in
a DCT Download Control sub-command message, for virtual
applications, are ignored by the Downloader module in
the terminal.

In addition, if MAM is enabled, the "enable"
function specified in a DCT Download Control
sub-command message for a virtual application causes the
Downloader to interrogate the Multiple Application
Manager module to see if the application should indeed
be enabled. The MAM responds back with information
whether to enable or disable the virtual application.

1.1.6. The Modified Functionality of the Virtual Channel Config Message

This message, which is a sub-command of the DCT
Config message, has modified functionality as an
implication of the invention. If MAM is enabled, the
terminal will disregard the turnon_VC_defined,
turnon_VC, turnoff_VC_defined and turnoff_VC fields
specified by this message if the default virtual
application has a defined VCT_source_ID. In this case,
the terminal will tune to the channel associated with
the VCT_source_ID given for the default virtual
application.

Conclusion

It should now be appreciated that the present
invention provides a system architecture for managing
the security aspects of multiple applications in large
scale networks. In particular, the processing load of
a security processor is reduced by configuring a MAM to
determine if frequently-transmitted application data
should be downloaded. The security processor
configures an authorization state of the terminal. In
response, the MAM builds a local virtual application
table that indicates which applications are authorized
for downloading, i.e., the applications whose required
authorization state correlates with the terminal's
configured authorization state.

Although the invention has been described in
connection with various preferred embodiments, it
should be appreciated that various modifications and
adaptations may be made thereto without departing from
the scope of the invention as set forth in the claims.

For example, the principles of the invention can
be extended to authentication, authorization and
billing of operating systems, scripting language
content (e.g., web pages) and the like.

What is claimed is:

1. A method for processing data in a digital
user terminal, comprising the steps of:

providing data to the terminal that includes at
least terminal authorization rights, configuration
data, and download messages;

the download messages comprising application data
for applications that are executable on the terminal;

said applications having associated required
authorization requirements;

processing the terminal authorization rights at a
security processor at the terminal to configure an
authorization state of the terminal;

processing the configuration data at a multiple
applications manager at the terminal to configure the
terminal to receive the application data;

the multiple applications manager querying the
security processor to establish a database of the
applications whose required authorization states
correlate with the terminal's authorization state; and

processing the download messages to determine
whether to download or discard the application data
received at the terminal in accordance with the
database.



2. The method of claim 1, wherein:

the download messages are processed at a
downloader associated with the multiple applications
manager without querying the security processor.

3. The method of claim 1, wherein:

the security processor processes new terminal
authorization rights that are received at the terminal
to update the authorization state of the terminal.

4. The method of claim 3, wherein:

the multiple applications manager queries the
security processor to establish an updated database of
the applications whose required authorization states
correlate with the terminal's updated authorization
state.

5. The method of claim 1, wherein:

the multiple applications manager queries the
security processor to establish an updated database of
the applications whose required authorization states
correlate with an updated authorization state of the
terminal.

6. The method of claim 1, wherein:

the download messages are repetitively transmitted
to the terminal.



7. The terminal of claim 1, wherein:

the security processor is free to perform other
tasks while the download messages are processed.

8. The method of claim 1, wherein:

the user terminal is in a broadband communication
network.

9. A digital user terminal for processing data,
comprising:

means for providing data to the terminal that
includes at least terminal authorization rights,
configuration data, and download messages;

the download messages comprising application data
for applications that are executable on the terminal;

said applications having associated required
authorization requirements;

a security processor for processing the terminal
authorization rights to configure an authorization
state of the terminal;

a multiple applications manager for processing the
configuration data to configure the terminal to receive
the application data; wherein:

the multiple applications manager queries the
security processor to establish a database of the
applications whose required authorization states
correlate with the terminal's authorization state; and

a downloader associated with the multiple
applications manager for processing the download
messages to determine whether to download or discard
the application data received at the terminal in
accordance with the database.

10. The terminal of claim 9, wherein:

the downloader processes the download messages
without querying the security processor.

11. The terminal of claim 9, wherein:

the security processor processes new terminal
authorization rights that are received at the terminal
to update the authorization state of the terminal.

12. The terminal of claim 11, wherein:

the multiple applications manager queries the
security processor to establish an updated database of
the applications whose required authorization states
correlate with the terminal's updated authorization
state.

13. The terminal of claim 9, wherein:

the multiple applications manager queries the
security processor to establish an updated database of
the applications whose required authorization states
correlate with an updated authorization state of the
terminal.



14. The terminal of claim 9, wherein:

the download messages are repetitively transmitted
to the terminal.

15. The terminal of claim 9, wherein:

the security processor is free to perform other
tasks while the download messages are processed.

16. The terminal of claim 9, wherein:

the terminal is in a broadband communication
network.